CSS321_IP5.docx

School: Colorado Technical University
Course: 321
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 17
Uploaded by EarlKoalaPerson755

CSS321-2304B-01, Software Assurance Individual Project – Week 5
Table of Contents

Unit 1 – Project Outline
    Company Description
    Applications Provided
    Software Development Methods
Unit 1 – Security in the Development Life Cycle
    Software Development Lifecycle
    Security Development Lifecycle
Unit 2 – Software Assurance Techniques
    Analysis
    Guidelines
Unit 3 – Security in Nontraditional Development Models
    Nontraditional Development Model
    Major Steps in Rapid Application Development
    Security Risks
Unit 4 – Security Static Analysis
    Application Design
    Sample Vulnerability Code
    Security Analysis Tools
Unit 5 – Software Assurance Policies and Processes
    Software Assurance Training
    Software Assurance Metrics
    Roles and Responsibilities
References
Unit 1 – Project Outline

Company Description

Amazon Web Services, a subsidiary of Amazon, holds 34% of the current cloud computing market. AWS was launched 17 years ago in 2006, and the team that designed it was called S3. S3 had a huge challenge in front of them: they had to design a service that would provide storage for developers. They had a goal in mind, which they put simply as, "The system should be made as simple as possible (but no simpler)." What they landed on was a completely new system that used "objects," "buckets," and "keys" to offer secure internet storage that developers could use and afford at $0.15 per gigabyte of storage per month (the price for what is now called S3 Standard storage has since dropped to about $0.02 per gig per month) [Ama21].

Applications Provided

When it comes to cloud computing, AWS offers over 200 fully featured services to customers globally. Some of the top AWS services include Amazon EC2, Amazon RDS, Amazon S3, Amazon Lambda, and Amazon Cognito [Tra23]. The services range from virtualization and database servers to backup storage servers. AWS even offers a service called Amazon Workforce, where users can log in to a virtual environment and collaborate on a project, or even work on their own projects, not just from an app on their desktop but also from their phone, or even by simply logging in to a website to gain access.

Software Development Methods

AWS loves decomposition, automation, and organizing development around what customers want when they are developing software. They focus on a DevSecOps methodology. DevSecOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes [Sta]. This also allows them to combine certain teams that normally worked separately and speed up the process of delivering quality software.
Unit 1 – Security in the Development Life Cycle

Software Development Lifecycle

AWS uses the DevSecOps methodology when it comes to the SDLC, and they do it in a unique way. AWS and Amazon implement something called the “Two-Pizza Team”. The reason they do this is that small teams have minimized bureaucracy and maximized time to focus on innovating for customers, which in turn raises employee satisfaction; mitigates the Ringelmann Effect (the tendency for individual productivity to decrease in larger groups); allows teams to run fast, experiment early and frequently, and apply learnings rapidly to constantly drive value to their customers; and helps lower the costs of failure – your learnings come quicker and at lower stakes than you may have otherwise faced at later stages of development [Sta23]. These small teams are not just the developers; they are also the operators of the front-end equipment, and the team also handles security issues during and after the development of a service. Another great concept for these teams is what Amazon calls single-threaded ownership, in which each team is focused only on that one service and nothing else. This is great for customers because if a problem arises and customer support can’t handle it, you as the customer know that when the ticket gets pushed higher, someone who developed the service is going to figure out the solution.

Security Development Lifecycle

With AWS using a DevSecOps methodology, security is integrated during the software development lifecycle. The Two-Pizza Teams that AWS forms handle the initial risk assessment when planning a project, and they are the ones who figure out fixes as vulnerabilities arise from customers or testing. Teams are held accountable when it comes to security. At Amazon, if a security vulnerability is found or the team is made aware of one, the CISO and CEO need to be made aware of it as soon as possible as well.
AWS also makes the teams follow principles and tenets for security issues. They are ownership, insist on the highest standards, dive deep, and stay simple. With ownership, the team is the owner of the product, and it is their responsibility to fix the security issue. Insist on the highest standards means that the leaders of the teams hold their teams to the highest standard and don’t let poor-quality products be released. Dive deep is where the teams need to dive to the deepest part of the service to locate and fix vulnerabilities, and to make sure the service is free from other vulnerabilities. Stay simple is a way for Amazon to have teams write code that is not necessarily simple but is the code needed to make the service a success.

AWS integrates security into development through a three-pillar system: policy, process, and tools. Policies are given to teams as the guidelines to follow as they develop the service. These include security policies, security training, data encryption standards, PII and CII handling standards, and compliance requirements [Col19]. Security processes include security reviews, penetration testing, and formal verification. Security reviews start in the early stages of development and recur periodically after that. Throughout the lifecycle, penetration testing is done to locate any possible vulnerabilities. Formal verification is done by an Automated Reasoning Group, which verifies the code for any possible errors that may need to be fixed. The final pillar is tools, and AWS offers many tools to developers to help with security. These include toolkits which already provide things like TLS/SSL, Access Management, AWS Config, and others.